From a5e62f3c796c48522ed4d57a7f5c9ac70a86e8e0 Mon Sep 17 00:00:00 2001
From: axi92
Date: Mon, 26 Aug 2024 11:05:30 +0200
Subject: [PATCH] build: add attest provenance with lint and release workflow (#29)
---
.github/dependabot.yml | 6 ++--
.github/workflows/android.yml | 46 +++++++++++++++----------------
.github/workflows/lint.yml | 42 ++++++++++++++++++----------
.github/workflows/release.yml | 14 +++++++---
.github/workflows/semantic-pr.yml | 2 +-
.github/workflows/test.yml | 38 ++++++++++---------------
6 files changed, 79 insertions(+), 69 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index e6d83f8..3269b62 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,7 +5,7 @@ version: 2
updates:
- - package-ecosystem: "npm" # See documentation for possible values
- directory: "/" # Location of package manifests
+ - package-ecosystem: 'npm' # See documentation for possible values
+ directory: '/' # Location of package manifests
schedule:
- interval: "monthly"
\ No newline at end of file
+ interval: 'monthly'
diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
index d1bf0a2..06ea4f0 100644
--- a/.github/workflows/android.yml
+++ b/.github/workflows/android.yml
@@ -1,35 +1,35 @@
name: Android
on:
push:
- branches: [ "main" ]
+ branches: ['main']
pull_request:
- branches: [ "main" ]
+ branches: ['main']
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v4
- - name: Set up JDK 17
- uses: actions/setup-java@v3
- with:
- java-version: '17'
- distribution: 'temurin'
+ - name: Set up JDK 17
+ uses: actions/setup-java@v3
+ with:
+ java-version: '17'
+ distribution: 'temurin'
- - name: Setup Android SDK
- uses: android-actions/setup-android@v3
+ - name: Setup Android SDK
+ uses: android-actions/setup-android@v3
- - name: Setup Nodejs
- uses: actions/setup-node@v4
- with:
- node-version: '22'
- - run: |
- corepack yarn
- cd example && yarn install
+ - name: Setup Nodejs
+ uses: actions/setup-node@v4
+ with:
+ node-version: '22'
+ - run: |
+ corepack yarn
+ cd example && yarn install
- - name: Build android example app
- run: yarn build:android
- env:
- GH_USERNAME: ${{ vars.USERNAME }}
- # PAT has read:packages permissions
- GH_TOKEN: ${{ secrets.TOKEN }}
\ No newline at end of file
+ - name: Build android example app
+ run: yarn build:android
+ env:
+ GH_USERNAME: ${{ vars.USERNAME }}
+ # PAT has read:packages permissions
+ GH_TOKEN: ${{ secrets.TOKEN }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 1d11128..daf25bb 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -3,23 +3,35 @@ name: Node.js lint
on:
push:
- branches: [ "main" ]
+ branches: ['main']
pull_request:
- branches: [ "main" ]
+ branches: ['main']
+permissions:
+ id-token: write
+ attestations: write
jobs:
lint_typecheck:
runs-on: ubuntu-latest
- strategy:
- matrix:
- node-version: [lts/*]
- # See supported Node.js release schedule at https://nodejs.org/en/about/previous-releases
+ permissions:
+ id-token: write
+ attestations: write
steps:
- - uses: actions/checkout@v3
- - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v4
- with:
- node-version: ${{ matrix.node-version }}
- cache: 'yarn'
- - run: yarn
- - run: yarn lint
- - run: yarn typecheck
+ - uses: actions/checkout@v3
+ - name: Setup nodejs
+ uses: actions/setup-node@v4
+ with:
+ node-version: lts/*
+ cache: 'yarn'
+ - run: yarn
+ - run: yarn lint
+ - run: yarn typecheck
+ - run: yarn pack --out '%s_%v.tgz'
+ - name: Upload Artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: package
+ path: '${{ github.workspace }}/*.tgz'
+ - name: Attest
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: '${{ github.workspace }}/*.tgz'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d143632..3cbccce 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,11 +6,11 @@ on:
type: choice
description: What type of release?
options:
- - patch
- - minor
- - major
+ - patch
+ - minor
+ - major
-concurrency : ${{ github.workflow }}-${{ github.ref }}
+concurrency: ${{ github.workflow }}-${{ github.ref }}
jobs:
publish:
@@ -19,6 +19,7 @@ jobs:
contents: write
packages: write
id-token: write
+ attestations: write
steps:
- uses: actions/checkout@v4
with:
@@ -66,3 +67,8 @@ jobs:
run: npx release-it ${{ github.event.inputs.input_version }} --ci
env:
BOT_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
+
+ - name: Attest
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: '${{ github.workspace }}/*.tgz'
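Review bot: The `permissions:` blocks this hunk adds to lint.yml grant only `id-token: write` and `attestations: write`, which sets every other GITHUB_TOKEN scope, `contents` included, to none, so `actions/checkout@v3` in `lint_typecheck` runs without `contents: read` — an anonymous clone still works on a public repository but fails on a private one, and the attest action's own documentation lists `contents: read` as required. The workflow-level block is redundant with the job-level one and would also hand the OIDC/attestation grant to any job added to this workflow later, so I would delete it and make the job's block `contents: read` / `id-token: write` / `attestations: write`. Because this workflow triggers on `pull_request`, a PR from a fork runs with a read-only token and no OIDC token, so the new Attest step fails those runs rather than skipping them, and attesting every PR and push build of a lint job signs tarballs that are never shipped — gate the pack/upload/attest steps with `if: github.event_name == 'push'` or leave attestation to release.yml, where the published artifact is built. The actions that produce the provenance claim (`actions/checkout@v3`, `actions/upload-artifact@v4`, `actions/attest-build-provenance@v1`) are referenced by mutable tags; pinning each to a full commit SHA, and adding a `package-ecosystem: 'github-actions'` entry to dependabot.yml (which in this patch covers only npm), keeps the attested builder itself from being swapped underneath the signature. `checkout@v3` here is also inconsistent with the `@v4` that android.yml and release.yml use in the same patch.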
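Review bot: The Attest step appended after `npx release-it` in release.yml signs whatever `*.tgz` happens to be in the workspace, but nothing in this hunk writes one; if release-it publishes straight from the working tree, which is its usual mode, the glob matches nothing and `attest-build-provenance` fails the job after the package has presumably already been published and the tag pushed. Confirm in the part of release.yml outside this hunk that a tarball is produced, and preferably attest the exact bytes that reach the registry by packing first (`yarn pack --out '%s_%v.tgz'`) and publishing from that file, so the digest in the attestation is the one `gh attestation verify` resolves for the published package. `actions/attest-build-provenance@v1` is a mutable tag on the very action that produces the signature; pin it to a full commit SHA. The `publish` job's permission list, which the preceding hunk extends with `attestations: write` alongside `contents`, `packages` and `id-token`, is the right place for this grant, since the release job is where the shipped artifact is built.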
diff --git a/.github/workflows/semantic-pr.yml b/.github/workflows/semantic-pr.yml
index 6839e8c..c2e8afb 100644
--- a/.github/workflows/semantic-pr.yml
+++ b/.github/workflows/semantic-pr.yml
@@ -1,4 +1,4 @@
-name: "Semantic PR Title"
+name: 'Semantic PR Title'
on:
pull_request_target:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 880cc2e..49a46c2 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -3,48 +3,40 @@ name: Test
on:
push:
- branches: [ "main" ]
+ branches: ['main']
pull_request:
- branches: [ "main" ]
+ branches: ['main']
jobs:
test-web:
runs-on: ubuntu-latest
- strategy:
- matrix:
- node-version: [lts/*]
- # See supported Node.js release schedule at https://nodejs.org/en/about/previous-releases
steps:
- - uses: actions/checkout@v3
- - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v4
- with:
- node-version: ${{ matrix.node-version }}
- cache: 'yarn'
- - run: yarn
- - run: yarn test
+ - uses: actions/checkout@v3
+ - name: Setup NodeJS
+ uses: actions/setup-node@v4
+ with:
+ node-version: lts/*
+ cache: 'yarn'
+ - run: yarn
+ - run: yarn test
test-ios:
runs-on: macos-latest
- strategy:
- matrix:
- node-version: [lts/*]
- # See supported Node.js release schedule at https://nodejs.org/en/about/previous-releases
steps:
- uses: actions/checkout@v3
- - name: Use Node.js ${{ matrix.node-version }}
+ - name: Setup NodeJS
uses: actions/setup-node@v4
with:
- node-version: ${{ matrix.node-version }}
+ node-version: lts/*
cache: 'yarn'
- uses: ruby/setup-ruby@v1
with:
ruby-version: '3.3'
bundler-cache: true
- - name: "Get Ruby Version"
+ - name: 'Get Ruby Version'
run: ruby --version
- uses: SwiftyLab/setup-swift@latest
with:
- swift-version: "5.10.0"
+ swift-version: '5.10.0'
- name: Get Swift Version
run: swift --version
- name: Get Xcode version
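Review bot: The new side of the test.yml hunk still runs `uses: SwiftyLab/setup-swift@latest` in `test-ios`, a third-party action on a floating ref that resolves to whatever its maintainer pushes next, so the toolchain installed into the CI runner can change, or be replaced, with no change to this repository; pin it to a release tag or, better, a full commit SHA. The same hunk keeps `actions/checkout@v3` in both `test-web` and `test-ios` while android.yml and release.yml in this patch use `@v4` (v3 is, as far as I recall, the Node 16 generation of the action that GitHub now warns about), so `- uses: actions/checkout@v4` here would bring the workflows in line. The `test-ios` job continues past the end of the hunk.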
@@ -115,7 +107,7 @@ jobs:
corepack enable
yarn
- name: Run Gradle
- if: steps.cache-gradle.outputs.cache-hit != 'true'
+ if: steps.cache-test-android-gradle.outputs.cache-hit != 'true'
run: example/android/gradlew
- name: Run Tests
run: make test-android
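Review bot: The corrected condition `steps.cache-test-android-gradle.outputs.cache-hit != 'true'` refers to a step whose `id:` lies outside this hunk, and a mismatched step id does not error — the expression evaluates to an empty string, `'' != 'true'` is true, and Gradle runs on every build exactly as the old `cache-gradle` reference presumably did without anyone noticing. Worth confirming the cache step's `id` matches byte for byte, and running `actionlint` on the workflow, which reports references to step ids that do not exist in the job. The job this step belongs to starts before the hunk.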